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<?xml verslon="1.0" ?> 
- <AgentProtocol xmins="http://www.nal.com" 

xmIns:xsl="http://www-w3-org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.nal.coni CustomAction5Protocol.xsci"> 

- <ControIData> 

<Version>0x01000001<A^ersion> 
<MmVerslon>0x01000001</MinVersion> 
< Command >RequestCustomAction</Command> 
<Server>nedlwnts2ke</Server> 
</Contro!Data> 

- < Custom Actions 

id="<AGENT_INSTALLED_DIR>\\CustomActionsLibrary\\CustActl.dir'> 

- <Method id=''GetRegStringVafue"> 

<Parameter id="Key'' type="xs:strlng" 

inout="m"><AGENT_INSTALLED__REGKEY></Parameter> 
<Parameter id="Vafuename" type="xs:strlng" 

mout="in">AgentVersion</Parameter> 
<Parameter id="Result" type="xs:string" mout="out" /> 
</Method> 
</CustomActions> 

- <CustomActions id= "{06E0062A-5069-4793-ACED-F80BElBBC4AF}"> 

- <Interface id="{C9ElCCO3-80O7-412A-8F5D-532C57DF4482}"> 

- <Method id =" Executes! lentlnsta Ha tlon"> 

<Parameter id="ProductName" type ="xs: string" 

inout="in">TestInstallProduct</Parameter> 
< Parameter id="ProductVersion" type="xs:declmar 

inout="in">Ox01000001</Parameter> 
<Parameter id="Locatlon" type="xs: string" 

inout="ln">c:\InstallImages</Parameter> 
<Parameter id="Result" type="xs:strlng" inout="out" /> 
</Method> 
</Interface> 

- <Interface ld = "{C9ElCC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method !d="GetSystemDirectory"> 

<Parameter id =" Directory" type="xs:string" inout="out" /> 
<Parameter id="ResuIt" type="xs:decimai" inout="out" /> 
</Method> 
</Interface> 
< / Custom Actions> 

- <CustomActlons id = "{06E0062B-5069-4793-ACED-F80BElBBC4AF}"> 

- <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}"> 

- <Method id="TriggerEvent"> 

<Parameter id="EventID" type ="xs: decimal" 
inout="!n">1000</Parameter> 

<Parameter ld="EventDescriptlon" type="xs:decimar 
inout="in">The event ^/>EventID% has been triggered by % 
USERNAME% on tomputer %COMPUTERNAME%. The % 
FILENAME% file is infected with o/oVIRUSNAME%. This has 
been detected by engineversion %ENGINEVEi^ION% 

datversion %DATVERSION%.<c/Parameter> 

<Parameter id="COMPUTERNAME" type="xs:string" 

inout="In">sourcecomputer</Parameter> 
<Parameter id="USERNAME" type="xs:string" 

inout5="in">sourceuser</Parameter> 
<Parameter id="FILENAME" type="xs:string" 

inout="in">kernel32-dII</Parameter> 
<Parameter id = "VIRUS NAME" type="xs:string" 

CUSTOM ACTIONS PROTOCOL RESP XML 
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inout="in">Nimbda</Parameter> 
<Parameter ld="ENGINEVERSION" type="xs:decimal" 

mout="in">0xO4005001</Parameter> 
<Parameter id = "DATVERSION ' type="xs:deciinal" 

inout="in">0x07003009</Parameter> 
<Parameter id="ResuIt" type="xs:string" inout="out" /> 
</Method> 
</Interface> 
</CustomActions> 
</AgentProtocoI> 
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<?xmi verslon="1.0" ?> 
- <AgentProtocol xmlns="http://www.nai.com" 

xmlns:xsi="http://www-w3.org/2001/XMLSchema-lnstance" 
xshschemaLocation="http://www,nai-com CustomActionsProtocoi.xsd"> 

- <ControlData> 

<Version>Ox01000001</Version> 
<MinVersion>0x01000O01</MinVersion> 
<Command>RspondToCustomAction</Command> 
<Server>nedlwnts2ke</Server> 

</ControlData> 

- <CustomActions 

ld="<AGENT_INSTALLED_DIR>\\CustoinActionsLibrary\\CustActl.dir> 

- <Method id="GetRegStringVaIue"> 

<Parameter id="Result" type="xs:string" 
inout="out">5-0.1.10</Parameter> 

</Method> 
</CustomActions> 

- <CustomActions id="{06E0062A-5069-4793-ACED-F80BElBBC4AF>"> 

- <Interface id="<C9ElCC03-8007-412A-8F5D-532C57DF4482>''> 

- <Method id="ExecuteSilentInstallatlon"> 

<Parameter id="Result" type="xs:string" inout="out">Error: Invalid 
Image path specified.</Parameter> 
</Method> 
</Intefface> 

- <Interface id="-CC9ElCC03-8007-412A-8F5D-532C57DF4482>"> 

- <Method id = "GetSy stem Directory "> 

<Parameter id="Directory" type="xs:string" 

inout="out">C:\Winnt\System32</Parameter> 
<Parameter id="Result" type="xs:decimal" 
inout = "out" > O </Pa ra meter > 
</Method> 
</Interface> 
</CustomActions> 

- <CustomActions id="-C06E0062B-5069-4793-ACED-F80BElBBC4AF>"> 

- <Interface ld="{A000CC03-8007-412A-8F5D-532C57DF4482}"> 

- <M€thod jd="TnggerEvent"> 

<Parameter ld="Resu!t" type=="xs:string" lnout= "out" > Event sent to 
testco m p u ter 2 </ Pa ra m eter > 
</Method> 
</Interface> 
</CustomActions> 
</AgentProtocol> 

CUSTOM ACTIONS PROTOCOL RESP XML 
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<?xml version="1.0" ?> 
- <AgentProtocol xmIns="http://www.nai.com" 

xmlns:xsi="http://www.w3.6rg/2001/XMLSchenia-instance" 
xsi:schemaLocation="http://www,nai.com CustomActionsProtocol.xsd 
http://www.nai.com AgentConfiguration-xscl"> 

- <ControlData> 

<Version>0x01000001</Version> 
<MinVersion>0x01000001</MinVersion> 
<Command>RequestCustomActlon</Commancl> 
<Server>nedlwnts2ke</Server> 
</ControlData> 

- < Custom Actions icI="RegistryMapplng,dll"> 
- <Method id="WriteConfig"> 

- <RegistryConfigu ration 

id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee"> 
- <Product id="Alert Manager"> 

<\/ersion> 0x04070000 </Version> 
<Dlsp!ayName>Alert Manager 4.7</DispJayName> 

- <Language {d="0407"> 

<Version>0x01000002</Version> 

- <Event id="l"> 

<LONGDESCRIPT>Das ist etne Test-Nachrlcht von Alert 

Manager. </LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severlty>5</Severlty> 
< Enabled > 1</Enabled> 
</Event> 
</Language> 

- <Language *rd="0409"> 

< Versio n > 0x0 100 0002 </Version > 

- <Event id="X'*> 

<LONGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>0</Severity> 
<Enabled>l</Enab!ed> 
</Event> 

- < Event id="2"> 

<LONGDESCRIPT>Text of event 2.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 
<Severity>l</Severity> 
</Event> 
</Language> 
</Product> 
</RegistryConfiguration> 
</Method> 

- <;Method id="ReadCoiifig"5> 

<RegistryConfiguration 

id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\*" /> 
</Method> 
</CustomActions> 
- <CustomActlons id="INIFiIeMapplng.dir> 

- <Method id="WriteConfig"> 

- <FileConfiguratfon id="C:\Program Files\Alert 
Manager\AMGConflg.inl"> 
- <Extensions> 

AGENT CONFIG CUSTOM ACTION XML 
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<amg>AMGConfig</amg> 
< asf > M P EG Vid eo </asf > 
<wmp>MPEGVideo2</wmp> 
</Extensions> 
</Fi!eConfigu ration > 
</Method> 

- <Method }d="ReadConfig"> 

<FileConfiguration id="C:\Program FiIes\Alert 
ManagerXAMGConfig.inr' /> 
</Method> 
</Custom Actions > 
- < Custom Actions id="MAPIMappmg.dli''> 

- <Method id="WriteConfig"> 

- <DAPIConfiguration id="/0=:org/OU=TestSite/CN=TestContainer"> 
<BinaryProperty>O123456789ABCDEF00000</BinaryProperty> 
</DAPIConfiguration> 
</Method> 

- <Method id="ReadConfig"> 

<DAPI Configuration id="/0=org/OU=TestSlte/CN=TestContainer" /> 
</Method> 
</Custom Actio ns > 
</AgentProtocol > 
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<?xml version="1.0" ?> 

<AMGEvents xmlns="http://www.nai.com" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.nai.com AMGEvents.xsd''> 

- <Product id="Alert Manager"> 

<Version>Ox04070000</Verslon> 
<DlsplayName> Alert Manager 4.7</DlsplayName> 

- <Language ld="0407"> 

<Versfon>0x01000002</Version> 

- <Event ld="l"> 

<LONGDESCRIPT>Das ist eine Test-Nachricht von Alert 

Manager. </LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

< Se ve ri ty > 5 </Se ve ri ty > 
<Enabled>l</Enabled> 

</Event> 
</Language> 

- <Language id="0409"> 

<Versron>0x010000O2</Version> 

- <Event id="l"> 

<LONGDESCRIPT>This is an alert manager test 

messge.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testing</SHORTDESCRIPT> 

< Se ve r !ty > O < /Se ve rity > 
<Enabled>l</EnabIed> 

</Event> 

- <Event id="2"> 

<LONGDESCRIPT>Text of event 2.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testlng</SHORTDESCRIPT> 
<Seventy > 1</Seventy > 
</Event> 

- <Event ld=="3"> 

<LONGDESCRIPT>Text of event 3,</L0NGDESCRIPT> 
<SH0RTDESCRIPT>Testmg</SHORTDESCRIPT> 
<Severity>l</Severity> 
</Event> 

- < Event id="4"> 

<LONGDESCRIPT>Text of event 4.</LONGDESCRIPT> 
<SHORTDESCRIPT>Testfng</SHORTDESCRIPT> 

< Se ve rity > 1 </Seve rity > 
</Event> 

</Language> 
</Product> 
:/AMGEvents> 



XML DATA 
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<?xml version="1.0" encodfng=="UTF-8" ?> 

<!— edited with XbfL Spy v4.a.l 0 (http://www.xmlspy.com) by Napalm 
{Napalm) — > 

- <xs:schema target1siamespace='"http://www.naLcom'' 
xmfns="http://www.nai-com" 

xmlns:xs="http://www.w3.org/2001/XMLSchema" 
elementFormE>efault=''quallfied"> 

<xs:element name^r^DIsplayName" type^^xsrstring" /> 
<xs:element name=" Enabled" type="xs:boolean" /> 
<xs:complexType name="EventType"> 

- <xs:all> 

<xs:element ref="LONGDESCRIPT" /> 
<xs: element ref=''SHORTDESCRIPT" /> 
<xs:element ref= "Severity" /> 
<xs:element ref="Enabled" minOccurs="0" /> 
</xs:all> 

<xs:attribute name="ld" type="xs:strlng- use^^required" /> 
</xs: complexTy pe> 

- <xs:complexType nanie^"LanguageType"> 

- <xs:sequence> 

<xs:element ref="Version" /> 
<xs:element name=''Event" type=*'EventType'' 
maxOccurs=''unbounded" /> 
</xs:sequence> 

<xs:attribute name="id" type="xs:string" use:==''required" /> 
</xs: complexTy pe> 

- <xs:element name^^Product" > 

- <xs: complexTy pe> 

- <xs:sequence> 

<xs:element ref=''Version'' /> 
<xs:element ref^^DispIayName" /> 
<xs:element name="Language'' type=="LanguageType" 
maxOccurs^^^^unbounded" /> 
</xs:sequence> 

<xs:attribute name="ld" type=''xs:string'' use=''required" /> 
</xs : comp lexTy pe > 
</xs:element> 

- <xs:element name:="AMGEvents''> 

- <xs: complexTy pe> 

- <xs:sequence> 

<xs:element ref="Product" maxOccurs= "unbounded" /> 

</xs:sequence> 
</xs : complexTy pe > 
</xs:element> 

<xs:element name="LONGDESCRIPT" type="xs:string'' /> 
<xs:element name="SHORTDESCRIPT" type="xs:string" /> 
<xs:element name="Severity" type="xs:strlng" /> 
<xs: element name=: "Version" type="xs:string" /> 
</xs; schema > 

XSD DATA 
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